Security for Personal Data: Personal Data Protection Bill, 2019
The Personal Data Protection Bill, 2019 seeks to safeguard the personal data of individuals while also establishing a Data Protection Authority. The Data Protection Authority shall ensure compliance with the provisions of the Bill and form regulations as and when necessary.
The Supreme Court had declared privacy to be a fundamental right under the aegis of Article 21 of the Constitution. In Justice K.S. Puttaswamy (Retd.) v. Union of India, 2017 (10) SCALE 1, Chandrachud, J. had said that the right to privacy emanates from the right to life and personal liberty.
Consequently, the Bench had declared the privacy of personal data and facts to be an essential facet of the right to privacy. This resulted in the formation of a Committee of Experts (Committee) under the leadership of Justice B. N. Srikrishna. It was the task of the Srikrishna Committee to scrutinize and identify the issues plaguing data protection in the country.
After compiling their findings into a comprehensive report, the Committee proposed the Draft Personal Data Protection Bill, 2018 (Draft Bill). The Personal Data Protection Bill, 2019 draws from the recommendations of the Srikrishna Committee and the Draft Bill.
Overview of the Personal Data Protection Bill, 2019
The proposed personal data protection act has a wide applicability. It shall, subject to other conditions, apply to the processing of personal data by:
- The State;
- Companies incorporated in India;
- Any citizen of India;
- Any person or body of persons incorporated or created under Indian law; and
- Foreign data fiduciaries or data processors dealing with the personal data of individuals in India.
However, the principles of the proposed data protection act shall only conditionally apply to the processing of anonymised data.
What is ‘Data’?
Data comprises a representation of information, facts, concepts, opinions, or instructions. In fact, the data should be suitable for communication, interpretation, or processing by humans or by automated means.
What is ‘Personal Data’?
Data about or relating to a natural person is ‘personal data’. It includes anything capable of identifying such a person, such as characteristics, traits, attributes, or features of identity.
Moreover, it could be a combination of features with any other information including data-driven inferences for profiling.
What is ‘Sensitive Personal Data’?
Sensitive personal data covers personal data revealing, related to, or constituting inter alia, health, sex life, sexual orientation, financial data, and religious or political affiliation.
The Central Government can subsequently notify any other personal data as sensitive personal data (after consulting the Authority and the sector regulator concerned).
What are the rights of individuals (Data Principal)?
A Data Principal will have a catalogue of rights:
- firstly, of confirmation and access;
- secondly, of correction and erasure;
- thirdly, of data portability; and
- lastly, to be forgotten.
Additionally, the right to erasure also involves the erasure of personal data not serving its original purpose.
What are the reasons for non-consensual processing of personal data?
Only a handful of reasons would merit the non-consensual processing of personal data. These include, inter alia:
- firstly, instances of complying with any order or judgment of any Court or Tribunal in India;
- secondly, where the State must provide benefits to the data principal; and
- thirdly, where there is a measure to provide health and safety services during an epidemic, outbreak, or a disease threatening public health.
Other “reasonable purposes” include fraud detection and prevention, debt recovery, the operation of search engines, and whistleblowing.
Who are ‘Social Media Intermediaries’?
The Bill defines a “Social Media Intermediary” as an intermediary who facilitates online interaction between users and allows information sharing.
Furthermore, all social media intermediaries classified as significant data fiduciaries must provide a voluntary verification mechanism for all users in India.
What are the exemptions on the Central Government for processing of personal data?
The State can exempt any agency of Government from the application of the proposed Act for necessary or expedient reasons.
These reasons include safeguarding the sovereignty and integrity of India or the security of the State. Additionally, they include friendly relations between States and public order.
Moreover, the Central Government can exempt any of its agencies in pursuit of any of the cognizable offences mentioned above.
Who are ‘small entities’? What are their exemptions for manual processing?
A data fiduciary can be classified as a “small entity” based on:
- firstly, its turnover in the preceding financial year;
- secondly, the purpose of collection of personal data; and
- lastly, the volume of the processed personal data in any single day during the preceding 12 calendar months.
A small entity can enjoy exemptions regarding, inter alia:
- firstly, notice for collection or processing of personal data;
- secondly, quality of personal data processed; and
- thirdly, restriction on the retention of personal data.
Can you transfer personal data outside India?
Yes, you can transfer sensitive personal data outside India, subject to certain restrictions. Notwithstanding anything, sensitive personal data must be stored in India.
You can transfer such data only after receiving explicit consent from the data principal, and subject to certain additional conditions. Furthermore, critical personal data can only be processed within the country.
Formation, Powers, and Composition of the Data Protection Authority of India
The Act envisages the establishment of the Data Protection Authority of India (Authority). This Authority will hold the power to monitor and enforce the application of the proposed personal data protection Act.
Additionally, it will hold the powers of, inter alia:
- maintaining a database of significant data fiduciaries;
- examining data audit reports;
- issuing, renewing, withdrawing, suspending, or cancelling the certificate of registration of data auditors;
- monitoring cross-border data transfer; and
- specifying codes of practice.
The Bill provides that the Authority shall comprise:
- A Chairperson; and
- A maximum of 6 whole-time Members (including one Member with qualifications and experience in law).
Offences and penalties
A person commits an offence only by re-identifying and processing de-identified personal data without proper consent.
The offence punishable under this Act shall be cognizable and non-bailable. Moreover, companies as well as the State can be punished under the law.
Incidentally, one can appeal before an Appellate Tribunal against the Orders of the Authority. The Supreme Court will hear appeals from the Appellate Tribunal.
Non-personal and anonymised personal data
The proposed personal data protection act allows the Government to direct data fiduciaries to provide it with:
- firstly, any non-personal data; and
- secondly, anonymised personal data,
to enable better targeting of the delivery of services or the formulation of evidence-based policies.
The Personal Data Protection Bill, 2019 also amends certain portions of the Information Technology Act, 2000; especially relating to the compensation payable by companies for failing to safeguard personal data.
Shortcomings of the Current Data Protection Framework
Presently, the SPD Rules (Rules) govern sensitive personal data (SPD) or information in India. These Rules derive their authority from Section 43A of the Information Technology Act, 2000. Though these Rules were a landmark enactment at the time of their enforcement, the world has moved on since. The digital economy has been developing at such speed that “some shortcomings have become apparent over time.”
- Firstly, sensitive data has a narrow definition at present.
- Secondly, the Government is not obligated to protect sensitive data.
- Moreover, there have been issues relating to the implementation of the IT Act and SPD Rules.
Therefore, the proposed data protection act, the Personal Data Protection Bill, 2019, aims to do away with such deficiencies. This Bill is supposed to ensure the collective good of the people and become a model legislation for the developing world.
Importance of a Dedicated Personal Data Privacy Law
India does not have a dedicated information privacy law or personal data privacy law, unlike some of her foreign friends. The United States adheres to a laissez-faire approach, emanating from its constitutional ideals of liberty as freedom from state control. The essence of the right to privacy lingers in a collective reading of the First, Fourth, Fifth and Fourteenth Amendments of their Constitution.
Incidentally, the European Union also recently enacted the EU GDPR to replace the erstwhile Data Protection Directive of 1995. The GDPR is a comprehensive framework and can act as a guide to enact a robust data protection act. Interestingly, even China has its very own cybersecurity law.
The Srikrishna Committee commented that each of these regimes is founded on each jurisdiction’s personal interpretation of the citizen-State relationship. E.g. the data protection norms of Europe are based on the belief of upholding individual dignity.
This proposed information privacy law in India will put an end to the current data-sharing practices of corporate behemoths that come at the expense of individuals. Corporations like Facebook, Google, and WhatsApp are gradually facing intense scrutiny regarding the volume and type of data they share.
One can only hope that this proposed data protection framework relating to personal data not only for India, but for Indians, will be the key to empowerment, progress, and innovation.